maroon
Member Candidate
Topic Author
Posts: 233
Joined: Thu Oct 07, 2004 11:15 am
Location: Lebanon

dual wan / single lan / port forwarding / policy routing

Wed Oct 14, 2009 5:14 pm

My scenario is very simple.

I have two internet connections:

1- Primary connection dedicated for Exchange server that is published to the internet (Ports published: TCP/443; TCP/25 only)
2- Secondary connection dedicated for local users; its main purpose is to allow the users to surf the internet and to act as backup access to the Exchange server if the primary connection goes down.

All PCs and servers are on the same LAN (192.200.200.0/24).

My questions are:

1- How to configure policy routing to always let the Exchange server pass through the primary connection (src-nat or masquerade) and to serve any external request to the published Exchange (dst-nat)?

2- How to configure policy routing to always let traffic from users pass through the secondary connection? And how can I make sure that a request for the Exchange server (OWA service on port TCP/443) on the secondary connection will be routed to the published service (HTTPS OWA)?

BTW, I have read the following tutorial http://blog.butchevans.com/2008/09/mikr ... n-example/ but unfortunately no luck, no support and no dice!
Mikrotik Support and Outstanding SQUID performance configuration is available...(Youtube caching with ZPH support) is available!
 
bellis
newbie
Posts: 49
Joined: Wed Nov 05, 2008 1:15 am
Location: Woodland, WA

Re: dual wan / single lan / port forwarding / policy routing

Wed Oct 14, 2009 10:13 pm

Using a mangle rule, chain=prerouting, action=mark-routing.

Set the other variables, such as src-address and dst-address, for catching the incoming traffic that you want to route specifically, then set the action to a routing mark based on the connection you want it to go out.

Then create routes as you normally would, but also include the routing mark you specified in your mangle rule.
"If it ain't broke, you're not tryin"
 
maroon
Member Candidate
Topic Author
Posts: 233
Joined: Thu Oct 07, 2004 11:15 am
Location: Lebanon

Re: dual wan / single lan / port forwarding / policy routing

Thu Oct 15, 2009 7:57 am

Thanks for the hints... but please, I need more tips about the routing table, since I have two gateways!!!
 
rpress
Frequent Visitor
Posts: 87
Joined: Thu May 07, 2009 5:13 am

Re: dual wan / single lan / port forwarding / policy routing

Thu Oct 15, 2009 6:25 pm

Yes, it is a tricky thing to have dst-nat services on two gateways...

Set up your routing table like so:
/ip route
add check-gateway=ping comment="Internet - Primary" disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=xxx.xxx.240.193 scope=30 target-scope=10
add comment="Internet - Failover" disabled=no distance=2 dst-address=\
    0.0.0.0/0 gateway=xxx.xxx.184.66 scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    xxx.xxx.184.66 routing-mark=dsl scope=30 target-scope=10
You can see the primary internet has check-gateway=ping and the failover has a distance of 2. The third entry will force routing through the failover if routing-mark=dsl.

Then set up the mangle rules:
/ip firewall mangle
add action=mark-connection chain=forward comment="From DSL interface" \
    connection-state=new disabled=no in-interface=inet_dsl \
    new-connection-mark=inet_dsl passthrough=no
add action=mark-routing chain=prerouting comment="For DSL interface from LAN" \
    disabled=no dst-address=xxx.xxx.60.102 dst-address-list=!exclude_nat \
    in-interface=lan new-routing-mark=dsl passthrough=no
add action=mark-routing chain=output comment="For DSL interface from router" \
    disabled=no dst-address-list=!exclude_nat new-routing-mark=dsl \
    passthrough=no src-address=xxx.xxx.60.102
This does the routing mark so packets can return to the DSL interface. It also adds a connection mark if the packet arrived from the DSL interface. exclude_nat is an address list of local subnets that don't go to the internet.

Now, using that connection mark, add a src-nat rule so that the packets from the LAN coming back through the router will go out the correct interface:
/ip firewall nat
add action=src-nat chain=srcnat comment="Incoming NAT for DSL interface" \
    connection-mark=inet_dsl disabled=no to-addresses=xxx.xxx.60.102
Simple as that, hah! I'm sure there are other ways to do it too. Then just add your dst-nat rules and everything should work OK.
 
cusco
newbie
Posts: 34
Joined: Tue Jun 29, 2010 2:34 pm

Re: dual wan / single lan / port forwarding / policy routing

Tue Oct 16, 2012 5:33 pm

Hello, I am still having trouble figuring this out.

What is address xxx.xxx.60.102? It is neither gateway... is it any random address just to mark the source, thus routing through the right gateway?

Does the connection mark stick even when the server replies with new packets?
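The following is an added illustration, not code from any poster in this thread: a small Python model of how the pieces in rpress's configuration interact, namely a connection mark set on the first packet that arrives from the DSL interface, routing marks that pick the "dsl" routing table, route distance plus check-gateway for failover, and the src-nat keyed on the connection mark. It walks through the two flows cusco asks about (an inbound OWA connection and the server's reply) and a LAN user before and after the primary gateway stops answering pings. The masked xxx.xxx addresses are replaced with constructed documentation addresses, the Exchange server's LAN address and the remote client are constructed, and the model adds one rule not in the post, labelled in the code: LAN-side reply packets of an inet_dsl connection also receive routing-mark=dsl, which is the standard RouterOS way to make replies leave through the WAN they arrived on. Ports, masquerade for the primary link and the RouterOS lookup order inside a table beyond distance are deliberately not modelled.

```python
"""Toy model of RouterOS connection marks, routing marks and route distance for the
dual-WAN setup in this thread.  Added illustration; it does not talk to a router."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed stand-ins for the masked addresses in the post.
PRIMARY_GW = "198.51.100.193"   # xxx.xxx.240.193
DSL_GW = "203.0.113.66"         # xxx.xxx.184.66
DSL_PUBLIC = "203.0.113.102"    # xxx.xxx.60.102, the address DSL connections are src-nat'd to
EXCHANGE_LAN = "192.200.200.10" # constructed LAN address of the Exchange server
REMOTE_CLIENT = "192.0.2.50"    # constructed Internet host

@dataclass
class Route:
    gateway: str
    distance: int
    routing_mark: str = "main"
    check_gateway: bool = False

# The three default routes from the post, as data (two in main, one in table "dsl").
ROUTES = [
    Route(PRIMARY_GW, distance=1, check_gateway=True),
    Route(DSL_GW, distance=2),
    Route(DSL_GW, distance=1, routing_mark="dsl"),
]

@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str          # "lan", "inet_dsl", "inet_primary"; "" = generated by the router
    conn_id: str           # stands in for the conntrack 5-tuple
    new: bool              # connection-state=new
    routing_mark: str = "main"

conntrack: dict[str, dict] = {}   # conn_id -> {"mark": ...}; persists across packets of one flow
gateway_up = {PRIMARY_GW: True, DSL_GW: True}

def is_local(addr: str) -> bool:
    """dst-address-list=exclude_nat in the post: local subnets that never leave via a WAN."""
    return addr.startswith("192.200.200.")

def mangle(pkt: Packet) -> Packet:
    ct = conntrack.setdefault(pkt.conn_id, {"mark": None})
    # chain=forward in-interface=inet_dsl connection-state=new action=mark-connection
    if pkt.new and pkt.in_iface == "inet_dsl":
        ct["mark"] = "inet_dsl"
    # chain=prerouting in-interface=lan dst-address=DSL_PUBLIC action=mark-routing
    if pkt.in_iface == "lan" and pkt.dst == DSL_PUBLIC:
        pkt.routing_mark = "dsl"
    # chain=output src-address=DSL_PUBLIC action=mark-routing (the router's own packets)
    if pkt.in_iface == "" and pkt.src == DSL_PUBLIC and not is_local(pkt.dst):
        pkt.routing_mark = "dsl"
    # ASSUMPTION, not in the post: LAN-side replies of an inet_dsl connection are also
    # marked dsl, so they leave through the DSL gateway instead of the main table.
    if pkt.in_iface == "lan" and ct["mark"] == "inet_dsl" and not is_local(pkt.dst):
        pkt.routing_mark = "dsl"
    return pkt

def select_gateway(pkt: Packet) -> str:
    """Marked table first, then main; lowest distance among usable routes.
    check-gateway=ping makes a route unusable while its gateway fails the ping."""
    if is_local(pkt.dst):
        return "lan"                         # connected route always wins
    for table in (pkt.routing_mark, "main"):
        usable = [r for r in ROUTES if r.routing_mark == table
                  and (not r.check_gateway or gateway_up[r.gateway])]
        if usable:
            return min(usable, key=lambda r: r.distance).gateway
    raise RuntimeError("no usable default route")

def forward(pkt: Packet) -> tuple[str, str]:
    """One packet through dst-nat, mangle, route lookup and src-nat.
    Returns (egress, source address after NAT)."""
    if pkt.in_iface == "inet_dsl" and pkt.dst == DSL_PUBLIC:
        pkt.dst = EXCHANGE_LAN               # constructed dst-nat for the published Exchange
    mangle(pkt)
    egress = select_gateway(pkt)
    # chain=srcnat connection-mark=inet_dsl action=src-nat to-addresses=DSL_PUBLIC
    ct = conntrack[pkt.conn_id]
    src_after_nat = DSL_PUBLIC if ct["mark"] == "inet_dsl" and egress != "lan" else pkt.src
    return egress, src_after_nat

def run_scenarios() -> dict[str, tuple[str, str]]:
    """The flows discussed in the thread; values are (egress, source address after NAT)."""
    conntrack.clear()
    gateway_up.update({PRIMARY_GW: True, DSL_GW: True})
    out = {}
    # 1. OWA request arrives on the DSL interface and is dst-nat'd to the Exchange server
    out["owa_in"] = forward(Packet(REMOTE_CLIENT, DSL_PUBLIC, "inet_dsl", "owa", new=True))
    # 2. The server's reply: same flow, so the connection mark from packet 1 still applies
    out["owa_reply"] = forward(Packet(EXCHANGE_LAN, REMOTE_CLIENT, "lan", "owa", new=False))
    # 3. A LAN user browsing: no marks, so main table and the distance-1 primary route win
    out["user_web"] = forward(Packet("192.200.200.55", "192.0.2.80", "lan", "web1", new=True))
    # 4. Same flow after the primary gateway fails its ping check: distance-2 failover route
    gateway_up[PRIMARY_GW] = False
    out["user_web_primary_down"] = forward(Packet("192.200.200.55", "192.0.2.80", "lan", "web2", new=True))
    return out

if __name__ == "__main__":
    for name, (egress, src) in run_scenarios().items():
        print(f"{name:24s} egress={egress:16s} src={src}")
```

Running it shows the reply packet in case 2 leaving via the DSL gateway with its source rewritten to the public DSL address even though it is not a "new" packet: the mark lives on the conntrack entry, not on the individual packet, so it is already in place when the reply arrives. Case 3 and 4 show that unmarked LAN traffic follows the main table, where check-gateway=ping withdraws the distance-1 route and the distance-2 route takes over.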
